GFI Product Manual. Administrator Guide for ISA/TMG

Transcription

1 GFI Product Manual Administrator Guide for ISA/TMG

2 The information and content in this document is provided for informational purposes only and is provided "as is" with no warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement. GFI Software is not liable for any damages, including any consequential damages, of any kind that may result from the use of this document. The information is obtained from publicly available sources. Though reasonable effort has been made to ensure the accuracy of the data provided, GFI makes no claim, promise or guarantee about the completeness, accuracy, recency or adequacy of information and is not responsible for misprints, out-of-date information, or errors. GFI makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy or completeness of any information contained in this document. If you believe there are any factual errors in this document, please contact us and we will review your concerns as soon as practical. All product and company names herein may be trademarks of their respective owners. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and other countries. GFI WebMonitor is copyright of GFI SOFTWARE Ltd GFI Software Ltd. All rights reserved. Document Version: Last updated (month/day/year): 8/27/2012

10 1 Introduction GFI WebMonitor is a comprehensive Internet usage monitoring solution that enables you to monitor and filter Web browsing and file downloads in real-time. It also enables you to optimize bandwidth by limiting access to streaming media, while enhancing network security with built-in tools that scan traffic for viruses, trojans, spyware and phishing material. It is the ideal solution to transparently and seamlessly exercise a substantial degree of control over your network users browsing and downloading habits. At the same time, it enables you to ensure legal liability and best practice initiatives without alienating network users. 1.1 About This Guide The aim of this guide is to help System Administrators install, configure and run GFI WebMonitor with minimum effort. It describes: The various network environments that GFI WebMonitor can support How to install GFI WebMonitor to monitor your environment How to get GFI WebMonitor running on default settings How to configure GFI WebMonitor to achieve results Terms Used in This Manual The following terms are used in this manual: Terms and Conventions Used in This Guide Table 1: Terms and conventions used in this manual TERM DESCRIPTION Additional information and references essential for the operation of GFI WebMonitor. Important notifications and cautions regarding potential issues that are commonly encountered. > Step by step navigational instructions to access a specific function. Bold text Italics text Code Items to select such as nodes, menu options or command buttons. Parameters and values that you must replace with the applicable value, such as custom paths and filenames. Indicates text values to key in, such as commands and addresses. For any technical terms and their definitions, refer to the Glossary section in this manual. 1.2 About GFI WebMonitor GFI WebMonitor is available in three editions: Table 2: GFI WebMonitor Editions EDITION WebFilter Edition WebSecurity Edition DESCRIPTION Increases productivity with Web Filtering and Web Browsing policies. Helps to optimize bandwidth use with Streaming Media policies and website categorization features. Additionally, Web Reputation Index and ThreatTrack help lower incidence of attacks and infringements. Provides a high degree of web security using combined tools that help mitigate phishing, malware, trojans and virus attacks. This is achieved through the built-in download control module and multiple anti-virus and anti-spyware engines. GFI WebMonitor 1 Introduction 10

11 EDITION Unified Protection Edition DESCRIPTION Provides all the features of the WebFilter Edition and the WebSecurity Edition in a single package. 1.3 How Does GFI WebMonitor Work? Figure 1: How Does GFI WebMonitor Work? 1. Request initiation: User requests a webpage or a download from the Internet. Incoming traffic generated by this request is forwarded to GFI WebMonitor. 2. Always Blocked/Always Allowed filtering: The internal GFI WebMonitor Always Blocked/Always Allowed filtering mechanism analyzes user ID, IP address and requested URL, taking the following actions: GFI WebMonitor 1 Introduction 11

12 Table 3: Always Blocked/Always Allowed filtering actions ACTION DESCRIPTION Blocks web traffic requests by adding users and/or IP addresses to the Always Blocked list, or Automatically allows web traffic requests Forwards web traffic requests (to the WebFiltering module) to access URLs in the Always Blocked list by allowed users and/or IP addresses, or to access allowed URLs by users and/or IP addresses that are neither in the Always Blocked list nor in the Always Allowed list to access URLs that are neither in the Always Blocked list nor in the Always Allowed list. 3. WebFilter module: Analyzes web traffic received from the Always Blocked/Always Allowed filtering mechanism against a list of categories stored in WebGrade database. These categories are used to classify and then filter web pages requested by users. For more information about these categories, refer to Knowledge Base article: GFI WebMonitor can Block, Warn and Allow or Quarantine web traffic according to configured policies. Quarantined web traffic can be manually approved or rejected by the administrators. Approved quarantined URLs are moved in Temporary Allowed area; a mechanism used to approve access to a site for a user or IP address for a temporary period. NOTE The WebFilter module is only available in the WebFilter Edition and the Unified Protection Edition of GFI WebMonitor. In the WebSecurity Edition, web traffic is sent directly from the Always Allowed/Always Blocked filtering mechanism to the WebSecurity module. 4. WebSecurity module: Analyzes web traffic through the download control module and scans incoming web traffic for viruses, spyware and other malware. GFI WebMonitor can Block, Warn and Allow or Quarantine suspicious material according to configured policies. Web traffic is also scanned for phishing material against a list of phishing sites stored in the updatable database of phishing sites. Web traffic generated from a known phishing element is rejected while approved web material is forwarded to the user. NOTE The WebSecurity module is only available in the WebSecurity Edition and Unified Protection Edition of GFI WebMonitor. In the WebFilter Edition, WebSecurity processing is not performed, and web traffic is forwarded on to the user. IMPORTANT Forwarding of approved web material by GFI WebMonitor to the user depends on the network environment; that is, where GFI WebMonitor is installed. GFI WebMonitor 1 Introduction 12

13 1.3.1 Downloading GFI WebMonitor GFI WebMonitor can be downloaded from: Licensing Information GFI WebMonitor counts either users or IP addresses for licensing purposes. You can configure a list of users or IP addresses who do not need to be monitored or protected so that these users do not consume a license. For more information, refer to Configuring Always Allowed List (page 91). IMPORTANT Unlicensed users are automatically allowed unrestricted and unfiltered access to the Internet. The traffic generated by these clients will not be monitored. For more information on how GFI WebMonitor counts users for licensing purposes, refer to Knowledge Base article: For more information about licensing, refer to GFI Software Ltd. website at: Upgrading In order to upgrade GFI WebMonitor, obtain the latest version from NOTE The upgrade procedure is similar to the installation procedure. NOTE If installing a new version of GFI WebMonitor on a different infrastructure, it is recommended to uninstall the previous version before installing the new one. 1.4 GFI WebMonitor Services The table below lists Windows services used by GFI WebMonitor. Table 4: GFI WebMonitor Windows Services SERVICE NAME GFI Proxy DESCRIPTION LOCATION AND NAME USER CRE- DEN- TIALS The GFI Proxy service is only created in the Standalone Proxy Version of GFI WebMonitor. It is used as an agent service for the Proxy server, ISAPI module and Web Filtering. <drive>:\program Files\GFI\WebMonitor\GFiProxy.exe Local System GFI WebMonitor 1 Introduction 13

14 SERVICE NAME GFI Web- Monitor DESCRIPTION LOCATION AND NAME USER CRE- DEN- TIALS The GFI WebMonitor service is used in both the ISA/TMG version and the Standalone Proxy version as a worker service. Its functionality includes: Scanning downloads via AV scanning engines. <drive>:\program Files\GFI\WebMonitor\WMonSrv.exe Administrator Managing content updates for the various GFI WebMonitor modules. Sending notification s to administrator and users. Provide services used to host admin UI. Loading WebGrade database to memory GFI Web- Monitor Core Service The GFI WebMonitor Core Service is composed by the following different components: WebMon.Common - Common data structures and algorithms WebMon.Core - Starts/Stops the IIS express process, Hosts the WCF services (AlertingService, AutoUpdateSettingsService, CategoryService, DataImporterService, DataLayerService, EngineStatusService, GeneralSettingsService, LicensingService, NetworkService, PolicySettingsService, ProxySettingsService, QuarantineService, ReporterService, ReportSettingsService, WebBrowsingService) <drive>:\program Files\GFI\WebMonitor Local System WebMon.ConfigManager - Handles the configurations files (config.db & xml settings) WebMon.Dal - Data persistence (FB & SQL Server) & data maintenance WebMon.DataAnonymizer - All data before going to the UI si filtered through this module WebMon.FilterComm - Used for communication with the Web- Monitor filter (e.g. reload of the settings, real time traffic, ) WebMon.MessageCollector - Reads the data from MSMQ sends it to the Alerter and SearchTerms modules for processing. Uses a new MSMQ queue to stock up to X requests or 1 min until they are send to the database, MSMQ is transactional and if the db is temporary offline no data will be lost WebMon.Alerter - Processes data received from the filter and triggers the alerts, also responsible for sending notifications generated by the core service WebMon.Net - Network related functionality (i.e. enumeration of sql servers or users from domains) WebMon.Reporter - Generates the reports for UI or scheduled reports WebMon.Scheduler - Schedules general purposes tasks like database maintenance, or scheduled reports WebMon.SearchTerms - Processes the data received from the filter and generates new events when a pattern has been matched, the search terms are in SearchTermsSettings.xml To view status of GFI WebMonitor services: 1. Click Start > Run and key in services.msc GFI WebMonitor 1 Introduction 14

17 EDITION WebSecurity Edition HARDWARE REQUIREMENTS Processor: 2.0 GHz RAM: 1 GB (Recommended 4GB) Unified Protection Edition Hard disk: 10 GB of available disk space Processor: 2.0 GHz RAM: 2 GB (Recommended 4GB) Hard disk: 12 GB of available disk space IMPORTANT GFI WebMonitor requires 2 network interface cards when installing in Gateway Mode or in a Microsoft ISA/TMG environment. When installing in Simple Proxy mode only 1 network interface card is required. NOTE Allocation of hard disk space depends on your environment. The size specified in the requirements is the minimum required to install and use GFI WebMonitor. The recommended size is between 150 and 250GB Microsoft ISA / Forefront TMG Mode Pre-requisites IMPORTANT Ensure that the listening port (default 8080) is not blocked by your firewall. For more information on how to enable firewall ports on Microsoft Windows Firewall, refer to Deployment Scenarios GFI WebMonitor can be deployed in three modes: In an Internet Gateway Environment In a Simple Proxy Environment In a Microsoft ISA Server or Forefront TMG environment Deployment depends on the network infrastructure and the network role of the machine where GFI WebMonitor is to be installed. The following diagram helps you choose the correct GFI WebMonitor installation mode to suit your environment. GFI WebMonitor 2 Installing GFI WebMonitor 17

18 Figure 2: Choosing your environment Deployment in a Microsoft ISA Server or Forefront TMG Environment GFI WebMonitor can complement the functionality provided by Microsoft ISA Server or Microsoft Forefront TMG. When installed in this environment, GFI WebMonitor enables the administrator to monitor users web traffic in real time. Screenshot 2: GFI WebMonitor installed on Microsoft ISA Server / Forefront TMG Users request a webpage or a download over the Internet. The incoming traffic generated by the request is received by Microsoft Server, which in turn refers to GFI WebMonitor to use the filtering mechanisms to analyze the request. To install GFI WebMonitor as a plug-in to Microsoft ISA Server / Forefront TMG, refer to the Installing GFI WebMonitor chapter in this manual. GFI WebMonitor 2 Installing GFI WebMonitor 18

19 2.3 Installing GFI WebMonitor for IsaTmg Introduction This chapter provides you with information related to the installation of GFI WebMonitor on Microsoft ISA Server / Forefront TMG Installation Procedure Run the installer as a user with administrative privileges on the target machine. 1. Double click the GFI WebMonitor executable file. 2. The installer checks if required components are installed, and automatically installs missing components. 3. Choose whether you want the installation wizard to search for a newer build of GFI WebMonitor on the GFI website and click Next. 4. Read the licensing agreement. To proceed with the installation select I accept the terms in the license agreement and click Next. Screenshot 3: Installation: Access Permissions 5. Key in the user name or the IP address that will be used to access the web interface of GFI WebMonitor and click Next. NOTE More than one user or machine can be specified. Separate entries with semicolons ; GFI WebMonitor 2 Installing GFI WebMonitor 19

20 Screenshot 4: Installation: Service Logon Information 6. Key in the logon credentials of an account with administrative privileges and click Next. NOTE The user account must have Log on as a service rights; otherwise, rights are automatically assigned. For more information, refer to Assigning Log On As A Service Rights (page 121). GFI WebMonitor 2 Installing GFI WebMonitor 20

22 3 Post Installation Actions After installation is complete, you need to perform a number of actions to ensure that GFI WebMonitor is deployed successfully. 3.1 Launching GFI WebMonitor Enter a Valid License Key Configure Proxy Settings Configuring FTP Step 1: Disabling Folder View in Microsoft Internet Explorer Step 2: Configuring Browsers to Use a Proxy Server Option 2: Configuring Proxy settings manually Option 1: Configuring Proxy settings automatically in Microsoft ISA Server and Microsoft Forefront TMG Step 3: Configuring FTP access Option 1: Restricting or denying FTP access in Microsoft ISA Server or Microsoft Forefront TMG Using the Settings Importer Tool Exporting / Importing Configuration Settings Launching GFI WebMonitor On the same machine where GFI WebMonitor is installed: There are 2 options for launching the GFI WebMonitor web console: Option 1: click Start > All Programs > GFI WebMonitor > GFI WebMonitor Management Console Option 2: Key in the URL in a web browser on the same machine. NOTE If using the GFI WebMonitor through the web browser interface on the same machine, Internet Explorer must be configured to use a proxy server. For more information refer to Configure Microsoft Internet Explorer to Use a Proxy Server. From a remote machine: To launch GFI WebMonitor installation from machines of users and/or IP addresses that were allowed access to the application, key in the URL in a web browser from their machine. The Internet browser must be configured to use specific proxy settings to enable this access. For more information, refer to Configure Proxy Settings (page 23). NOTE User access to the application can be granted either during installation or from the Remote Access Control node. GFI WebMonitor 3 Post Installation Actions 22

23 3.2 Enter a Valid License Key After GFI WebMonitor is installed, a valid license key is required to start monitoring traffic and creating policies. NOTE If you are evaluating GFI WebMonitor, a 30 day unlimited evaluation key will be sent by after registering. Screenshot 6: License key required To enter your license key: 1. Click Enter license key Enter your license key in the available field. 3. Click Apply. NOTE GFI WebMonitor enables you to update the license key manually after evaluating the product. For more information, refer to Updating License Manually (page 70). NOTE To activate license key, an Internet connection must be available. See Also: Licensing Information 3.3 Configure Proxy Settings Client Internet Browsers need to be configured to use GFI WebMonitor as the default proxy server. If this setting is not deployed, the client machines will by-pass GFI WebMonitor and the Internet traffic they generate will remain undetected. GFI WebMonitor 3 Post Installation Actions 23

24 Proxy settings can be configured manually, by carrying out the configuration on every machine on your network that is going to access the Internet, or through GPO (Group Policy Object), that lets you configure settings for a group of active directory users. 3.4 Configuring FTP Configure the user machines to route all FTP downloads through the Microsoft ISA Server / Forefront TMG proxy service. This can be achieved by: Disabling folder view in Microsoft Internet Explorer on each client machine Configuring Internet browsers to use specific proxy settings on each client machine either automatically or manually. Configuring FTP access in Microsoft ISA Server / Forefront TMG. FTP access can be configured by: Option 1: Restricting or denying FTP access Option 2: Disabling the FTP Access Filter NOTE To ensure that all users browse and download from FTP servers through proxy, the administrator should disable folder view and configure the proxy settings on the users machines Step 1: Disabling Folder View in Microsoft Internet Explorer To disable folder view in Microsoft Internet Explorer: 1. Launch Microsoft Internet Explorer on the client machine. 2. From Tools menu, choose Internet Options and select the Advanced tab. GFI WebMonitor 3 Post Installation Actions 24

37 Screenshot 20: Microsoft ISA Server: Add Users dialog 17. In the Add Users dialog, select Administrator, click Add and click Close. 18. Click Next and Finish. 19. Save settings before exiting. 3.5 Using the Settings Importer Tool The Settings Importer Tool is a command line tool that enables you to export settings from a configured GFI WebMonitor installation and import the same settings into a new installation. The tool is particularly useful when you have more than one GFI WebMonitor instance deployed in your organization. Using simple command line scripting, you can export and import GFI WebMonitor configurations to synchronize the multiple instances. The configuration settings are exported into a single file that can then be imported as required. This functionality ensures that any changes are replicated to all instances without having to synchronize manually Exporting / Importing Configuration Settings To use the Settings Importer Tool: 1. On the machine where GFI WebMonitor is installed, go to Start > Run and type cmd. This action calls the Microsoft Windows command line interface. 2. To list all the controls that can be used to operate the Settings Importer Tool, type: WebMon.SettingsImporterTool --help - for Windows 32-bit WebMon.SettingsImporterTool --help - For Windows 64-bit GFI WebMonitor 3 Post Installation Actions 37

38 Screenshot 21: Settings Importer Tool Controls NOTE The controls apply only when importing configuration settings. 3. The following are some examples on how to perform export and import functions: Example 1 - Exporting all settings: To export the current settings, type: WebMon.SettingsImporterTool -e Settings are exported to a single file and when the process is complete, the following message is displayed: Exported WebMonitor settings to C:Program Files\GFI\WebMonitor\<filename>.gz Example 2 - Importing settings: To import exported settings, type: WebMon.SettingsImporterTool -i /path=<filename>.gz When import is complete, the following message is displayed: Successfully imported <All> WebMonitor settings from <filename> GFI WebMonitor 3 Post Installation Actions 38

43 5. Limit access to specific web site categories based on time or bandwidth limits. Configure Web Browsing Quota Policies GFI also recommends to create an awareness policy with safe use guidelines for your employees. For more information refer to: GFI WebMonitor 4 Achieving Results 43

44 5 Using the Dashboard The GFI WebMonitor Dashboard provides quick insight to activity on your network. Use the following monitoring tools to identify potential problems: Table 7: Monitoring tools OPTION Overview Bandwidth Activity Security Real-Time Traffic Quarantine DESCRIPTION Provides a quick glance of current activity on the network, enabling you to identify network usage trends and tasks that need to be carried out by the administrator. Shows activity related to bandwidth consumption. Use the provided filters to spot downloads or uploads that are affecting your network performance. Gives you insight on different types of activity during specific times of the day. Displays activity related to security issues such as detection of infected files, malicious and phishing sites, as well as information related to the most common viruses attacking your network. Shows network traffic in real-time. Provides controls to authorize traffic that requires approval. NOTE If Anonymization is enabled, personal data (such as User Names and IPs) is masked. For more information on how to enable Anonymization refer to General Options. 5.1 Overview of Internet Activity On launching GFI WebMonitor, the overview page is displayed by default. GFI WebMonitor 5 Using the Dashboard 44

45 Screenshot 22: Dashboard Overview The page contains a graphical representation of Internet usage trends, such as: The bandwidth consumption for the current day Activity filtered by any configured policy Information related to searches performed by users Top categories and domains that are being accessed by users Top users and policies. GFI WebMonitor 5 Using the Dashboard 45

46 NOTE By default, the data provided in the Overview page is for the current week. This filter can be changed from the for period field in the top right corner of the screen. Screenshot 23: Using the calendar to set period WebGrade Categorization The Website Category Lookup area enables you to check the categorization of a URL and its Reputation Index. Screenshot 24: Website Category Lookup feature To check a website: 1. Type URL in the space provided. 2. Click icon. NOTE For more information, refer to Configuring Web Categorization (page 78) Pending Task List A list of important tasks is displayed in the Dashboard for the attention of the System Administrator. After performing a task, click to remove it from the list. GFI WebMonitor 5 Using the Dashboard 46

47 Screenshot 25: Pending tasks list IMPORTANT When a task is dismissed, it does not appear again on the dashboard Web Monitoring Status The Overview page displays statistics related to Internet use, such as the total number of Websites visited by all users, the number of infected files detected by GFI WebMonitor and the number of websites blocked by a configured policy. NOTE If Alerts are configured, a notification appears in the Overview window, above Monitor Status area. For more information, refer to Configuring Alerts (page 106). GFI WebMonitor 5 Using the Dashboard 47

49 Table 8: Product status overview STATUS Product Version Licensed Module Licensed Users Subscription DESCRIPTION Displays the current installed version of GFI WebMonitor and the build number. Check which modules are licensed and active. For more information, refer to Licensing Information (page 13). Shows the number of users being monitored. For more information on how GFI WebMonitor counts users for licensing purposes, refer to Knowledge Base article: Displays the date when the GFI WebMonitor license is due for renewal. 5.2 Monitoring Bandwidth The Bandwidth dashboard provides information related to traffic and user activity that affects bandwidth consumption. Filter data according to the following: Table 9: Bandwidth dashboard options OPTION All Bandwidth Download Only Upload Only DESCRIPTION Shows download and upload traffic. Displays only downloaded traffic. Displays only uploaded traffic. GFI WebMonitor 5 Using the Dashboard 49

50 Screenshot 28: Monitoring bandwidth NOTE Use the View by: filter in the top right corner of the page to view data for a specific date range. The lower portion of the Bandwidth page provides a breakdown of the data monitored in the specified period. Data is broken down as follows: Table 10: Bandwidth monitoring filtering options FILTER Categories Websites Users DESCRIPTION Select to view a list of categories and size of download for each category. A list of websites with respective download size. Data can be viewed by Domain or by Site using the provided controls. A list of users and the total size of downloads for a specified period. GFI WebMonitor 5 Using the Dashboard 50

51 FILTER Even Log DESCRIPTION Provides a log of all the web requests that fall within the specified period, displaying: Web Request - URL of request Time - date and time of request Download - size of download User - User name IP - IP address One-click Report Functionality After you customize the dashboard, the view can be exported as a report or scheduled to be sent automatically as required. Export Report To export the report: 1. From the top of the Dashboard, click and select Export Report. 2. GFI WebMonitor displays the exported report in a separate window in your browser. 3. Click and select one of the following options: Table 11: Export report options OPTION DESCRIPTION Excel The report is exported in Microsoft Excel format (.xls) PDF The report is exported in PDF format. Word The report is exported in Microsoft Word format (.doc) Schedule Report To schedule the report: 1. From the top of the Dashboard, click and select Schedule Report. 2. GFI WebMonitor redirects you automatically to the Reports area. For more information, refer to Reporting (page 60). 4. Save the report. IMPORTANT If Anonymization is enabled, personal data (such as User Names and IPs) will be masked. For more information refer to General Options. 5.3 Monitoring Activity The Activity dashboard provides information related to web requests and user activity for a specified period. Filter data according to the following: Table 12: Activity dashboard options OPTION All Activity DESCRIPTION Shows all web requests (filtered and unfiltered) made through GFI WebMonitor in the specified period. GFI WebMonitor 5 Using the Dashboard 51

52 OPTION Allowed Only Filtered Only Searches DESCRIPTION Displays only traffic that has been allowed by GFI WebMonitor. Displays only traffic that has been blocked by configured policies. Shows the activity related to searches performed by users. NOTE Use the View by: filter in the top right corner of the page to view data for a specific date range. Screenshot 29: Activity Dashboard The lower portion of the Activity page provides a breakdown of the data monitored in the specified period. Data is broken down as follows: GFI WebMonitor 5 Using the Dashboard 52

53 Table 13: Activity monitoring filtering options FILTER Categories Websites Users DESCRIPTION Select to view a list of categories with total number of Web Requests for each category. A list of websites with respective total number of Web Requests. Data can be viewed by Domain or by Site using the provided controls. A list of users and the total Surf Time and number of Web Requests for a specified period. NOTE Surf Time is an approximate time calculated by timing access to web sites. Every time a user accesses a website, 1 surf time minute will be added for that user. During this minute, the user can access other web sites without adding to the surf time. When the 1 minute has passed, another minute will be added if the user is still browsing. Event Log Provides a log of all the web requests that fall within the specified period, displaying: Web Request - URL of request Time - date and time of request Download - size of download User - User name IP - IP address One-click Report Functionality After you customize the dashboard, the view can be exported as a report or scheduled to be sent automatically as required. Export Report To export the report: 1. From the top of the Dashboard, click and select Export Report. 2. GFI WebMonitor displays the exported report in a separate window in your browser. 3. Click and select one of the following options: Table 14: Export report options OPTION DESCRIPTION Excel The report is exported in Microsoft Excel format (.xls) PDF The report is exported in PDF format. Word The report is exported in Microsoft Word format (.doc) Schedule Report To schedule the report: 1. From the top of the Dashboard, click and select Schedule Report. 2. GFI WebMonitor redirects you automatically to the Reports area. For more information, refer to Reporting (page 60). 4. Save the report. GFI WebMonitor 5 Using the Dashboard 53

54 IMPORTANT If Anonymization is enabled, personal data (such as User Names and IPs) will be masked. For more information refer to General Options. 5.4 Monitoring Security The Security dashboard provides information related to web requests and user activity for a specified period. The information provided enables you to identify security risks and threats to your network environment at a glance. Data is filtered to provide information related to: Table 15: Security dashboard options OPTION Infected Files Detected Malicious Sites Blocked Phishing Sites Blocked Top Virus DESCRIPTION Shows all files that have been detected as being infected by a virus by GFI WebMonitor for the selected period. Displays all the websites that have been detected as being malicious within the selected period. Displays all the sites that GFI WebMonitor has identified as known phishing websites within the selected time period. Shows the name of the top virus detected by GFI WebMonitor for the selected period. NOTE Use the View by: filter in the top right corner of the page to view data for a specific date range. GFI WebMonitor 5 Using the Dashboard 54

55 Screenshot 30: Security Dashboard The lower portion of the Security page provides a breakdown of the data monitored in the specified period. Click the available tabs to view information filtered by the following categories: Table 16: Security monitoring filtering options FILTER Viruses Policies Categories Websites Users DESCRIPTION A list of detected viruses, with the total number of Breaches. Affected policies are listed in this tab, together with the total number of Breaches and the name of the users who made the request. Select to view a list of categories with total number of Breaches for each category. A list of websites with respective total number of Breaches. Data can be viewed by Domain or by Site using the provided controls. A list of users and the total Breaches for a specified period, broken down under three headings: Infected, Malicious or Phishing. NOTE Surf Time is an approximate time calculated by timing access to web sites. Every time a user accesses a website, 1 surf time minute will be added for that user. During this minute, the user can access other web sites without adding to the surf time. When the 1 minute has passed, another minute will be added if the user is still browsing. Event Log Provides a log of all the web requests that fall within the specified period, displaying: Web Request - URL of request Time - date and time of request User - User name IP - IP address Reputation Index - the WebGrade index given to the accessed site Engine - the name of the engine that detected the threat GFI WebMonitor 5 Using the Dashboard 55

56 5.4.1 One-click Report Functionality After you customize the dashboard, the view can be exported as a report or scheduled to be sent automatically as required. Export Report To export the report: 1. From the top of the Dashboard, click and select Export Report. 2. GFI WebMonitor displays the exported report in a separate window in your browser. 3. Click and select one of the following options: Table 17: Export report options OPTION DESCRIPTION Excel The report is exported in Microsoft Excel format (.xls) PDF The report is exported in PDF format. Word The report is exported in Microsoft Word format (.doc) Schedule Report To schedule the report: 1. From the top of the Dashboard, click and select Schedule Report. 2. GFI WebMonitor redirects you automatically to the Reports area. For more information, refer to Reporting (page 60). 4. Save the report. IMPORTANT If Anonymization is enabled, personal data (such as User Names and IPs) will be masked. For more information refer to General Options. 5.5 Monitoring Real-Time Traffic The Real-Time Traffic dashboard enables you to monitor Internet usage in real-time. Monitor current active connections and terminate them if necessary (for example, streaming media or large unauthorized downloads), and view most recent connections. Real-time graphs of bandwidth and activity give you visual indicators of the current situation. IMPORTANT If Anonymization is enabled, personal data (such as User Names and IPs) will be masked. For more information refer to General Options. To access the Real-Time Traffic dashboard: 1. Go to Dashboard > Real-Time Traffic. GFI WebMonitor 5 Using the Dashboard 56

57 Screenshot 31: Real-Time Traffic Dashboard, Bandwidth monitoring 2. Click one of the following tabs: Table 18: Real-Time Traffic dashboard options OPTION Active Connections DESCRIPTION Provides information related to current active connections. Active connections can be terminated to free up bandwidth. Additional filtering is available by: Categories - Select to view a list of categories with total Web Requests and Bandwidth consumption for each category. Websites - A list of websites with respective total Web Requestsand Bandwidth consumption per site. Data can be viewed by Domain or by Site using the provided controls. Bandwidth Users - A list of users with total Web Requests and Bandwidth consumption per user. A graph displays the current bandwidth consumption in MB. Additional information includes: IP (User) Url Status Downloaded Uploaded GFI WebMonitor 5 Using the Dashboard 57

58 OPTION Activity DESCRIPTION Displays the number of current web requests IP (User) Url Status Downloaded Uploaded NOTE For Bandwidth and Activity real-time traffic graph, set the Auto refresh interval at the top right corner of the page. Default is set to Using Quarantine The Quarantine area holds filtered content until the administrator reviews the item and decides what action to take. Perform one of the following actions: Table 19: Quarantine options OPTION Approve Approve All Delete Delete All DESCRIPTION Approve a single item in the list. Approve all items in the list. Delete a single item in the list. Delete all items in the list. The Quarantine list is populated following actions taken by pre-configured policies. The policy which blocked the quarantined item will be listed under Policy Type, together with the user, details of the request, date and time. To approve or delete an item from the Quarantine list: 1. Go to Dashboard > Quarantine GFI WebMonitor 5 Using the Dashboard 58

60 6 Reporting GFI WebMonitor makes use of an in-built reporting engine that enables you to create reports without having to leave the GUI. You can create reports based on inclusions and exclusions of users, categories and websites thus making sure that reports are targeted and relevant. Use the reporting engine to create: Department based reporting that can be scheduled and sent to the relevant department heads Reports which exclude certain data such as salesforce.com, and other websites or data which is irrelevant Reports which only include certain categories of websites. For example, generate productivity loss reports where only Productivity Loss related categories are added to the report Need based reporting based on Browsing Activity / Bandwidth / Security and other needs Scheduled reports distributed in various formats. The following sections will help you configure and run the following: Activity Reports Bandwidth Reports Security Reports 6.1 Starred Reports Click Reports to access Starred Reports and create a list of frequently used reports. To add a report to the Starred Reports list: 1. Go to Reports > Bandwidth or Activity tab. 2. Click next to report name. GFI WebMonitor 6 Reporting 60

61 3. Starred reports will be marked with. 6.2 Activity Reports GFI WebMonitor offers a set of reports that help you monitor user activity on your network. You can modify existing reports or add new ones customized to your requirements. To use one of the above reports: 1. Go to Reports and select Activity tab. Screenshot 33: Default activity report list 2. Click one of the report names to edit or click Run to generate the report. NOTE Every report can be exported to Excel, PDF or Word, and can also be sent to a printer. See also: Cloning a report Editing Activity Report Editing Activity Reports To edit an activity report: 1. Go to Reports and select Activity tab. 2. Click report name to edit. GFI WebMonitor 6 Reporting 61

62 Screenshot 34: Editing a report 3. [Optional] Change the name of the report. 4. In the Data tab, select a Date Range from the drop down list. 5. In the Record Limit field, set the maximum number of records shown in the report. Default is set to 1000 per set. 6. In the Include area: a. Click Users / Groups tab and add the users or groups to include or exclude in the report. b. Click Categories tab to add the categories to include or exclude in the report c. Click Websites tab and add the domains to include or exclude in the report. d. Click Policies tab to add the policies to include or exclude in the report. You can add policies by name, by the action these policies perform (Limited or Warned) or by policy type (Download, Filter or Security). 7. Go to the Schedule tab and click ON to enable report scheduling. NOTE If the schedule is disabled, report is not automatically generated. GFI WebMonitor 6 Reporting 62

63 Screenshot 35: Scheduling an activity report 8. From the Runs area, select if report is going to be generated: Table 20: Activity report schedule options OPTION Once Daily Weekly Monthly DESCRIPTION In the Run On field, specify a date and time to generate the report one time. In the Run Every field, specify the interval in days after which to generate the report. In the At field, specify at which time of day to execute the report. If you want the occurrence to end after a specified period, select On in the Repeat Endsarea and define the date, otherwise set the setting to Never (Default). In the Run Every field, specify the interval in weeks and use the Repeat On checkboxes to select the week days on which to generate the report. In the At field, specify at which time of day to execute the report. If you want the occurrence to end after a specified period, select On in the Repeat Endsarea and define the date, otherwise set the setting to Never (Default). Use the Repeat On checkboxes to select the months in which the report will be generated. In the On field, specify the day of the month and use the At field to specify at which time of day to execute the report. If you want the occurrence to end after a specified period, select On in the Repeat Endsarea and define the date, otherwise set the setting to Never (Default). 9. Go to Distribution tab and select one of the following options: Table 21: Activity report distribution options OPTION Distribute PDF Distribute XLS Distribute DOC DESCRIPTION Enable to save a PDF document in the path specified in the Folder Destination field. [Optional] In the Recipients field, add a recipient address to send the document by . Enable to save a document in.xls format in the path specified in the Folder Destination field. [Optional] In the Recipients field, add a recipient address to send the document by . Enable to save a document in.doc format in the path specified in the Folder Destination field. [Optional] In the Recipients field, add a recipient address to send the document by Click Save. 11. To generate the report, click Run. 6.3 Bandwidth Reports GFI WebMonitor offers a set of reports that help you monitor bandwidth activity on your network. Use these reports to identify non-productive traffic, download trends and usage patterns, so that adequate action can be taken if need be. You can modify existing reports or add new ones customized to your requirements. To use one of the above reports: 1. Go to Reports and select Bandwidth tab. GFI WebMonitor 6 Reporting 63

64 Screenshot 36: Default bandwidth reports list 2. Click one of the report names to edit or click Run to generate the report. NOTE Every report can be exported to Excel, PDF or Word, and can also be sent to a printer. See also: Cloning a report Editing Bandwidth Report Editing Bandwidth Reports To edit an bandwidth report: 1. Go to Reports and select Bandwidth tab. 2. Click report name to edit. Screenshot 37: Editing a report 3. [Optional] Change the name of the report. 4. In the Data tab, select a Date Range from the drop down list. GFI WebMonitor 6 Reporting 64

65 5. In the Record Limit field, set the maximum number of records shown in the report. Default is set to 1000 per set. 6. In the Include area: a. Click Users / Groups tab and add the users or groups to include or exclude in the report. b. Click Categories tab to add the categories to include or exclude in the report c. Click Websites tab and add the domains to include or exclude in the report. 7. Go to the Schedule tab and click ON to enable report scheduling. NOTE If the schedule is disabled, report is not automatically generated. Screenshot 38: Scheduling an activity report 8. From the Runs area, select if report is going to be generated: Table 22: Activity report schedule options OPTION Once Daily Weekly Monthly DESCRIPTION In the Run On field, specify a date and time to generate the report one time. In the Run Every field, specify the interval in days after which to generate the report. In the At field, specify at which time of day to execute the report. If you want the occurrence to end after a specified period, select On in the Repeat Endsarea and define the date, otherwise set the setting to Never (Default). In the Run Every field, specify the interval in weeks and use the Repeat On checkboxes to select the week days on which to generate the report. In the At field, specify at which time of day to execute the report. If you want the occurrence to end after a specified period, select On in the Repeat Endsarea and define the date, otherwise set the setting to Never (Default). Use the Repeat On checkboxes to select the months in which the report will be generated. In the On field, specify the day of the month and use the At field to specify at which time of day to execute the report. If you want the occurrence to end after a specified period, select On in the Repeat Endsarea and define the date, otherwise set the setting to Never (Default). 9. Go to Distribution tab and select one of the following options: GFI WebMonitor 6 Reporting 65

66 Table 23: Activity report distribution options OPTION Distribute PDF Distribute XLS Distribute DOC DESCRIPTION Enable to save a PDF document in the path specified in the Folder Destination field. [Optional] In the Recipients field, add a recipient address to send the document by . Enable to save a document in.xls format in the path specified in the Folder Destination field. [Optional] In the Recipients field, add a recipient address to send the document by . Enable to save a document in.doc format in the path specified in the Folder Destination field. [Optional] In the Recipients field, add a recipient address to send the document by Click Save. 11. To generate the report, click Run. 6.4 Security Reports GFI WebMonitor offers a set of reports that help you monitor suspicious activity on your network. Use the Security Reports to identify: The amount of infected files detected by GFI WebMonitor Details of any Phishing sites blocked A list of viruses that threatened your organization's network. You can modify existing reports or add new ones customized to your requirements: 1. Go to Reports and select Security tab. Screenshot 39: Default Security reports list 2. Click one of the report names to edit or click Run to generate the report. NOTE Every report can be exported to Excel, PDF or Word, and can also be sent to a printer. See also: Cloning a report Editing Security Report GFI WebMonitor 6 Reporting 66

67 6.4.1 Editing Security Reports To edit a Security report: 1. Go to Reports and select Activity tab. 2. Click report name to edit. Screenshot 40: Editing a report 3. [Optional] Change the name of the report. 4. In the Data tab, select a Date Range from the drop down list. 5. In the Record Limit field, set the maximum number of records shown in the report. Default is set to 1000 per set. 6. In the Include area: a. Click Users / Groups tab and add the users or groups to include or exclude in the report. b. Click Categories tab to add the categories to include or exclude in the report c. Click Websites tab and add the domains to include or exclude in the report. 7. Go to the Schedule tab and click ON to enable report scheduling. NOTE If the schedule is disabled, report is not automatically generated. GFI WebMonitor 6 Reporting 67

68 Screenshot 41: Scheduling an activity report 8. From the Runs area, select if report is going to be generated: Table 24: Activity report schedule options OPTION Once Daily Weekly Monthly DESCRIPTION In the Run On field, specify a date and time to generate the report one time. In the Run Every field, specify the interval in days after which to generate the report. In the At field, specify at which time of day to execute the report. If you want the occurrence to end after a specified period, select On in the Repeat Endsarea and define the date, otherwise set the setting to Never (Default). In the Run Every field, specify the interval in weeks and use the Repeat On checkboxes to select the week days on which to generate the report. In the At field, specify at which time of day to execute the report. If you want the occurrence to end after a specified period, select On in the Repeat Endsarea and define the date, otherwise set the setting to Never (Default). Use the Repeat On checkboxes to select the months in which the report will be generated. In the On field, specify the day of the month and use the At field to specify at which time of day to execute the report. If you want the occurrence to end after a specified period, select On in the Repeat Endsarea and define the date, otherwise set the setting to Never (Default). 9. Go to Distribution tab and select one of the following options: Table 25: Activity report distribution options OPTION Distribute PDF Distribute XLS Distribute DOC DESCRIPTION Enable to save a PDF document in the path specified in the Folder Destination field. [Optional] In the Recipients field, add a recipient address to send the document by . Enable to save a document in.xls format in the path specified in the Folder Destination field. [Optional] In the Recipients field, add a recipient address to send the document by . Enable to save a document in.doc format in the path specified in the Folder Destination field. [Optional] In the Recipients field, add a recipient address to send the document by Click Save. 11. To generate the report, click Run Cloning Reports All the default reports can be cloned to create new custom reports. To clone a report: GFI WebMonitor 6 Reporting 68

69 1. Go to Reports and select Bandwidth or Activity tab. 2. Click Edit Report next to the report you want to clone. 3. Change the name of the report and click Clone Report. GFI WebMonitor 6 Reporting 69

70 7 Configuring GFI WebMonitor This chapter assists in the configuration of the following: General settings 1. Licensing 2. Remote Access Control 3. Data Retention, Notification language and Anonymization 4. Auto-update of internal scanning engines 5. Web Categorization 6. Database settings Policies 1. Security policies 2. Internet policies 3. Download control policies 4. Always Blocked list, Always Allowed list and Temporary Allowed configuration Alerts 1. Monitoring, Bandwidth and Security alerts NOTE When you have more than one GFI WebMonitor instance deployed in your organization, use the Settings Importer Tool to quickly export settings from a configured GFI WebMonitor installation and import the same settings into a new installation. Using simple command line scripting, you can export and import GFI WebMonitor configurations to synchronize the multiple instances. For more information, refer to Using the Settings Importer Tool (page 37). 7.1 General Settings The following sections help you configure settings related to how GFI WebMonitor works. Table 26: General Settings OPTION Licensing Remote Access Control Auto-update Database Notifications Options Web categorization DESCRIPTION View current licensing configuration or update with a new license key. Configure windows authentication and create authorization rules to grant or deny user access to the application. Turn on or off auto-update settings for the core components of GFI WebMonitor Specify the backend database type for GFI WebMonitor Define settings for notifications related to administrative tasks. Configure data retention period, downloaded file cache size, notification language, expiry period for temporary allowed browsing and anonymization. Enable Web Categorization online lookup for web sites not found within the local database Updating License Manually To start using GFI WebMonitor, a valid license key must be activated. GFI WebMonitor 7 Configuring GFI WebMonitor 70

71 To update product license key: 1. Go to Settings > General > Licensing 2. Click Update License and enter license key. 3. Click Apply. NOTE To activate license key, an Internet connection must be available. See Also: Licensing Information. Post-Installation Actions Remote Access Control The Remote Access Control node enables you to: Turn Windows Authentication on or off for users defined in the configured Authorization Rules. When Windows Authentication is enabled, you can grant access to the GFI WebMonitor UI using Active Directory Users and Groups. For more information refer to Configuring Windows Authentication. Add new Authorization Rules to grant limited access to users to different sections of GFI Web- Monitor. Users, groups or IPs listed in the configured Authorization Rules will have access to limited views on the data so that, for example, Departmental Managers can access the Dashboards and Reports of members of their teams. For more information, refer to Add a New Authorization Rule (page 72). Configuring Windows Authentication When Windows Authentication is enabled, you can For more information, refer to Configuring Windows Authentication (page 71). IMPORTANT Users or groups specified in the Authorization Rules are allowed access only if their username is authenticated. To turn Windows Authentication on or off: 1. Go to Settings > General > Remote Access Control. GFI WebMonitor 7 Configuring GFI WebMonitor 71

72 Screenshot 42: Configuring Access Control 2. Next to Windows Authentication, click ON or OFF. Add a New Authorization Rule Configured Authorization Rules grant or deny access to users to different sections of GFI WebMonitor. Users, groups or IPs listed in the configured Authorization Rules will have access to limited views on the data so that, for example, Departmental Managers can access the Dashboards and Reports of members of their teams. To add a new Authorization Rule: 1. Go to Settings > General > Remote Access Control. 2. Click Add Authorization Rule. GFI WebMonitor 7 Configuring GFI WebMonitor 72

73 Screenshot 43: Adding a new Authorization Rule 3. In the Apply Rule to field, specify the User, Group or IP Address, to whom the rule will apply. Repeat for all required users, groups and/or IPs. IMPORTANT Users or groups specified in the Authorization Rules are allowed access only if Windows Authentication is enabled and their username is authenticated. When Windows Authentication is disabled, use IP addresses instead. For more information, refer to Configuring Windows Authentication (page 71). 4. In the Can View Data for field, specify the User, Group or IP Address, to whom the user specified in the previous step has access to. For example, John Smith, the Marketing Manager, has access to all users in the Marketing group. Repeat for all required users, groups and/or IPs. 5. In the Access Rights area, Allow or Block the following: OPTION View Dashboard DESCRIPTION When enabled, user can view Bandwidth, Activity and Security Dashboard. Access to Quarantine and Real Time Traffic dashboards can be granted or denied using additional controls. GFI WebMonitor 7 Configuring GFI WebMonitor 73

74 OPTION View Quarantine View Real Time Traffic View Reports Change Reports Change Settings DESCRIPTION This option is only available when View Dashboard is enabled. Click Allow to grant access to Quarantine area. When enabled, user can monitor Real-time traffic and terminate active connections. Click Allow to enable access to Reports node. User will be able to generate all configured reports. When enabled, user can modify, delete and create new reports. Only available if View Reports is enabled. When enabled, user is allowed access to Settings area and can modify GFI WebMonitor settings. 6. Click Save Configuring Auto-Update The Auto-Update page provides a centralized area where to configure auto-update settings for the core components of GFI WebMonitor. Screenshot 44: Configuring Auto-update To enable or disable auto-update for the available components: 1. Go to Settings > General > Auto-Update. 2. Click ON or OFF to enable or disable the components as required. GFI WebMonitor 7 Configuring GFI WebMonitor 74

75 NOTE It is recommended that all auto-updates are enabled for maximum protection Configuring Databases GFI WebMonitor supports two types of databases: Table 27: Back-end databases DATABASE Firebird Database Microsoft SQL Database DESCRIPTION Firebird is the default database, configured automatically with the installation. GFI WebMonitor supports both Microsoft SQL Express and Microsoft SQL server databases. The currently configured database can be viewed from Settings > General > Database. Screenshot 45: Configured database To change the current database configuration refer to the following sections: Configuring Firebird Database Configuring Microsoft SQL Database Configuring Firebird Database During installation, GFI WebMonitor automatically installs a Firebird database that is used by the application as the default database. The default path is: C:\Program Files\GFI\WebMonitor\Data\WEBMON.FDB. To change the default location of the Firebird database: 1. Go to C:\Program Files\GFI\WebMonitor\Data and copy the WEBMON.FDB file. 2. Save the copied file to the new location. 3. In GFI WebMonitor, go to Settings > General > Database. GFI WebMonitor 7 Configuring GFI WebMonitor 75

76 Screenshot 46: Configuring Databases 4. From Database Type, select Embedded. 5. In the Path field, change the path to the point to the new location. 6. Click Save. NOTE To create a new Firebird Database, enter a new database name in the following format: <database name>.fdb Configuring Microsoft SQL Database GFI WebMonitor supports both Microsoft SQL Server Express and Microsoft SQL Server databases. To point GFI WebMonitor to use a previously created Microsoft SQL Server database: 1. In GFI WebMonitor, go to Settings > General > Database. 2. From Database Type, select SQL Server. GFI WebMonitor 7 Configuring GFI WebMonitor 76

77 3. In the SQL Server field, type the SQL Server instance name. 4. In the Authentication area, select one of the following: Table 28: SQL Server Authentication method OPTION Windows Authentication SQL Server Authentication DESCRIPTION Select this option to use Windows credentials when connecting to your SQL Server. If your SQL Server has been installed in SQL Server Authentication Mode, select this option and provide Username and Password. 5. In the Database field, type the name of the database created in SQL Server. IMPORTANT Ensure that the database name entered is unique, otherwise you will overwrite the existing database. 6. Click Save. NOTE You can create a new database from within GFI WebMonitor. To create a new database, enter a new database name and click Save Configuring Notifications When Notifications are configured, GFI WebMonitor sends messages containing information related to tasks such as auto-updates and licensing issues to specified addresses. To change the administrative notifications setup configured during installation: 1. Go to Settings > General > Notifications. GFI WebMonitor 7 Configuring GFI WebMonitor 77

78 Screenshot 47: Configuring administrative notifications 2. Change any of the following options: Table 29: Configuring administrative notifications OPTION DESCRIPTION From address Specify the address from which notifications will be sent. SMTP Server Enter the name or IP of the SMTP server. SMTP Port Key in a port number. addresses Enter recipient addresses. 3. Click Save Configuring Web Categorization When GFI WebMonitor is installed, a database with a limited amount of categorized web sites is installed. GFI WebMonitor updates this local database on activation. Web categorization is a feature that connects to the Internet to look up URL's not found in the local database. For more information on website categorization refer to the following whitepaper: NOTE This feature is enabled by default. To disable Web Categorization, click OFF next to Online Lookup. GFI WebMonitor 7 Configuring GFI WebMonitor 78

80 7.2.1 WebFilter Edition Policies WebFilter edition includes policies related to time and bandwidth based browsing control, website categorization and URL filtering for increased productivity and security. The following sections help you: Configure Internet Policies Configure Always Blocked list Configure Always Allowed list Configure Temporary Allowed list Enabling or Disabling a Configured Policy To enable or disable a policy: 1. Go to Settings > Policies > Internet Policies. 2. Click ON to enable or OFF to disable the desired policy. Deleting a Policy To delete a policy click the Delete icon next to the policy to delete Configuring Internet Policies The following chapters guide you through the configuration of the following policies: POLICY Web Filtering Policy Web Browsing Quota Policy Instant Messaging and Social Control Policy Streaming Media Policy Search Engine Policy DESCRIPTION Exercise control over web browsing habits that can effect security, productivity, performance and legal issues. Control how your users browse specific categories or sites based on bandwidth or time thresholds. Provide control over the use of instant messaging clients. Define policies that block various types of streaming media across all websites. Provides monitoring and control over user searching habits. Web Filtering Policy Web filtering policies enable you to exercise control over web browsing habits that can effect security, productivity, performance and legal issues. A Default Web Filtering Policy is enabled when GFI WebMonitor is installed. It is pre-configured to apply to everyone and to allow web browsing of all categories. The default policy can be edited, but cannot be disabled or deleted. NOTE Certain fields in the default policy cannot be edited. These include Policy Name and Apply Policy To. IMPORTANT All added policies take priority over the default policy. GFI WebMonitor 7 Configuring GFI WebMonitor 80

81 To add a Web Filtering Policy: 1. Go to Settings > Policies > Internet Policies. 2. In the Web Filtering Policies area, click Add Policy. Screenshot 49: Creating a new Web Filtering policy 3. In the Policy Name field, type a policy name. 4. In the Filter area, select the categories to Allow, Block, Warn and Allow or Quarantine. 5. [Optional] Click Show Advanced Filtering to add conditions that override actions specified in the Filter area. 6. In the Exceptions area, use the Always block sites and Always allow sitesfields to key in specific URL's of websites to include or exclude from policy. GFI WebMonitor 7 Configuring GFI WebMonitor 81

82 Screenshot 50: Enabling reputation filtering 7. [Optional] In the Filter by Reputation area, click ON to enable filtering by reputation. The following table defines how reputation is classified within the categorization database: Table 30: Reputation index classification INDEX DEFINITION (1 20) High Risk (21 40) Suspicious (41 60) Moderate Risk (61 80) Low Risk (81 100) Trustworthy NOTE Setting up a Reputation Index of 40 or below blocks websites categorized as Unknown. When GFI WebMonitor is deployed, a local web categorization database is installed with a limited amount of entries. URL's not found in the local database will be automatically categorized as Unknown. Ensure that Online Lookup is enabled so that GFI WebMonitor can access a store of over 280 million websites. For more information, refer to Configuring Web Categorization (page 78). 8. In the Apply Policy To field, specify Users, Groups or IPsfor whom the new policy applies, and clickadd. 9. [Optional] In the Notify Breacher area, click ONto enable notifications to send when a user infringes policy. Provide the body text of the notification in the available space. 10. [Optional] Use the Notify Administrators area to send notifications when the downloaded content infringes this policy. Add the administrator s address and provide the body text of the notification In the Schedulearea specify the time period during which the new policy is enforced. 12. Click Save. See also: Cloning a Policy Web Browsing Quota Policy Create a Web Browsing Quota Policy to control how your users browse specific categories or sites based on bandwidth or time thresholds. To create a new Web Browsing Quota Policy: 1. Go to Settings > Policies > Internet Policies. 2. In the Web Browsing Quota Policy area, click Add Policy. GFI WebMonitor 7 Configuring GFI WebMonitor 82

83 Screenshot 51: Creating a new Web Browsing Quota Policy 3. In the Policy Name field, type a policy name. 4. In the Limit By area specify: a. If the threshold will be based on Bandwidth or Time b. The duration in hours or minutes c. If the duration is per day, week or month 5. In the Apply To area: a. Select which categories or sites are effected by policy. b. Add sites which are to be excluded from policy. 6. In the Apply Policy To field, specify Users, Groups or IPs for whom the new policy applies, then click Add. GFI WebMonitor 7 Configuring GFI WebMonitor 83

84 7. [Optional] In the Notify Breacher area, click ON to enable notifications to send when a user infringes this policy. Provide the body text of the notification in the available space. 8. [Optional] Use the Notify Administrators area to send notifications when the downloaded content infringes this policy. Add the administrator s address and provide the body text of the notification Click Save. NOTE To reset the Web Browsing Quota Policy, click the refresh icon from the Internet Policies page. See also: Cloning a Policy Instant Messaging and Social Control Policy Instant Messaging (or IM) and Social Control policies provide control over the use of instant messaging clients and social networking services. If a policy is breached, GFI WebMonitor uses the configured policy to determine what action to take. The Instant Messaging Policy feature can allow or block access to the following clients: MSN Messenger and Microsoft Windows Live Messenger Gmail Chat/GTalk and Yahoo! Messenger Facebook Chat Online instant messaging portals. Social Controls, grant or deny access to the following: facebook google+ Twitter Other social networking sites A Default IM and Social Control policy is enabled when GFI WebMonitor is installed. It is pre-configured to allow access to all instant messaging clients and social networking services to all users on your network. The default policy can be edited, but cannot be disabled or deleted. Any changes made to the default policy apply to all users. NOTE Certain fields in the default policy cannot be edited. These include Policy Name and Apply Policy To. GFI WebMonitor 7 Configuring GFI WebMonitor 84

85 IMPORTANT All added policies take priority over the default policy. To create a new IM Policy: 1. Go to Settings > Policies > Internet Policies. 2. In the Instant Messaging / Social Control Policies area, click Add Policy. Screenshot 52: Creating a new IM Policy 3. In the Policy Name field, type a policy name. 4. In the Filter area: GFI WebMonitor 7 Configuring GFI WebMonitor 85

86 Under Instant Messaging Controls, specify which instant messaging client to block or allow. Under Social Controls, specify which social networking service to block or allow. 5. In the Apply Policy To field, specify Users, Groups or IPs for whom the new policy applies, then click Add. NOTE It is recommended that only one IM Control Policy is applied to a user, a group and/or IP address. In cases where more than one IM Control Policy is applied to the same user, group or IP, the top most policy takes priority over subsequent policies. 6. [Optional] In the Notify Breacher area, click ON to enable notifications to send when a user infringes this policy. Provide the body text of the notification in the available space. 7. [Optional] Use the Notify Administrators area to send notifications when the downloaded content infringes this policy. Add the administrator s address and provide the body text of the notification Click Save. See also: Cloning a Policy Streaming Media Policy Streaming Media Policies enable you to define policies that block various types of streaming media across all websites. This conserves and optimizes bandwidth resources. A Default Streaming Media Policy is enabled when GFI WebMonitor is installed. It is pre-configured to allow streaming media access to everyone. The default policy can be edited, but cannot be disabled or deleted. NOTE Certain fields in the default policy cannot be edited. These include Policy Name and Apply Policy To. IMPORTANT All added policies take priority over the default policy. To add a Streaming Media Policy: 1. Go to Settings > Policies > Internet Policies. 2. In the Streaming Media Policies area, click Add Policy. GFI WebMonitor 7 Configuring GFI WebMonitor 86

87 Screenshot 53: Configuring Streaming Media policy 1 3. In the Policy Name field, type a policy name. 4. In the Filter area, select the Streaming Media Categories, Streaming Applications and Generic Site Streams to Allow or Block. 5. Use the Always block sites and Always allow sites fields to key in specific URL's of websites you would like included or excluded from the policy. 6.In the Apply Policy To field, specify Users, Groups or IPs for whom the new policy applies, then click Add. GFI WebMonitor 7 Configuring GFI WebMonitor 87

88 NOTE When keying in a User, specify the username in the format domain\user. When keying in a Client IP, you can use IP ranges (for example, includes these IP addresses: , and ). 7. [Optional] In the Notify Breacher area, click ON to enable notifications to send when a user infringes this policy. Provide the body text of the notification in the available space. 8. [Optional] Use the Notify Administrators area to send notifications when the downloaded content infringes this policy. Add the administrator s address and provide the body text of the notification In the Filter On area specify the time period during which the new policy will be enforced. 10. Click Save. See also: Cloning a Policy Search Engine Policies GFI WebMonitor has two search engine policies that are disabled by default when the product is installed. Safe Search Safe Search is a feature supported by a number of search engines. If enabled, GFI WebMonitor enforces filtering of explicit and images from user searches. Safe Search is compatible with the following search engines: Google Yahoo Lycos Bing. NOTE The Safe Search feature is available in the GFI WebMonitor WebFilter Edition. Screenshot 54: Safe Search and Search Terms Monitoring To enable Safe Search 1. Go to Settings > Internet Polices > Safe Search. GFI WebMonitor 7 Configuring GFI WebMonitor 88

89 2. Click ON. Search Terms Monitoring Search Terms Monitoring is a feature that monitors and logs terms used during searches. If enabled, you will be able to monitor what your users are searching for in various search engines to get a better insight on what users are using the web for. To enable Search Terms Monitoring 1. Go to Settings > Internet Polices > Search Terms Monitoring. 2. Click ON. To exclude users or IP addresses from monitoring: 1. Go to Settings > Internet Polices > Search Terms Monitoring. 2. Click Search Terms Monitoring. 3. Key in the User name or IP Address in the field provided and click Exclude Configuring Always Blocked List The Always Blocked list is a list of sites, users and IP addresses that should always be blocked. The Always Blocked list takes priority over all WebFilter and WebSecurity policies. NOTE If the items in the Always Blocked list are also added to the Always Allowed list, priority is granted to the Always Allowed list and access is granted. Adding Items to the Always Blocked list To add an item to the Always Blocked list: 1. Go to Settings > Policies > Always Blocked. GFI WebMonitor 7 Configuring GFI WebMonitor 89

90 Screenshot 55: Configuring Always Blocked list 2. Select User, Site or IP and key in the value in the space provided. 3. Click Add. 4. Click Save. NOTE When keying in a User, specify the username in the format domain\user. When keying in a Client IP, you can use IP ranges (for example, includes these IP addresses: , and ). NOTE When keying in a URL for a website you can use the wildcard character [*], for example: Type *.com to allow or block all '.com' top-level domains Type *.website.com to allow or block all sub-domains of 'website.com' Deleting Items From the Always Blocked list To delete an item from the Always Blocked list: 1. Go to Settings > Policies > Always Blocked. 2. Click the Delete icon next to the item to delete. 3. Click Save. GFI WebMonitor 7 Configuring GFI WebMonitor 90

91 7.2.5 Configuring Always Allowed List The Always Allowed list is a list of sites, users and IP addresses that are automatically excluded from all filtering policies configured in GFI WebMonitor. Besides the Always Allowed list, there is also a Temporary Allowed list that is used to temporarily approve access to a site for a user or IP address. IMPORTANT In GFI WebMonitor, the Temporary Allowed list takes priority over the Always Allowed list. Furthermore, both Always Allowed lists take priority over the Always Blocked list. Therefore, if a site is listed in the Always Allowed or Temporary Allowed lists and that same site is listed in the Always Blocked list, access to the site is allowed. Pre-configured Items By default, GFI WebMonitor includes a number of pre-configured sites in the Always Allowed list. These include GFI Software Ltd websites to allow automatic updates to GFI WebMonitor and Microsoft websites to allow automatic updates to Windows. Removing any of these sites may stop important updates from being automatically effected. GFI WebMonitor 7 Configuring GFI WebMonitor 91

92 Adding Items to the Always Allowed List Screenshot 56: Adding items to Always Allowed list To add an item to the Always Allowed list: 1. Go to Settings > Policies > Always Allowed. 2. In the Grant To field, select User, Site or IP and key in the value in the space provided. 3. Click Add. 4. Click Save. NOTE When keying in a User, specify the username in the format domain\user. When keying in a Client IP, you can use IP ranges (for example, includes these IP addresses: , and ). GFI WebMonitor 7 Configuring GFI WebMonitor 92

93 NOTE When keying in a URL for a website you can use the wildcard character [*], for example: Type *.com to allow or block all '.com' top-level domains Type *.website.com to allow or block all sub-domains of 'website.com' Deleting Items From the Always Allowed List To delete an item from the Always Allowed list: 1. Go to Settings > Policies > Always Allowed. 2. Click the Delete icon next to the item to delete. 3. Click Save Configuring Temporary Allowed List The Temporary Allowed List is a list of URL's, users or IP addresses that are allowed to bypass all web filtering polices for a specified amount of time. The list is populated either automatically with items approved from quarantine or manually by adding specific entries. To manually configure temporary access to sites, users or IP addresses: 1. Go to Settings > Policies > Temporary Allowed List. Screenshot 57: Configuring Temporary Allowed list 2. In the Grant To field, select User or IP and key in the user or IP address to grant access to in the space provided. 3. In the Access To field, type the URL of the website to grant access to. 4. In the Active until area, select the date and time during which the policy will be active. 5. Click Save. Deleting Items From the Temporary Allowed list To delete an item from the Temporary Allowed list: 1. Go to Settings > Policies > Temporary Allowed. 2. Click the Delete icon next to the item to delete. GFI WebMonitor 7 Configuring GFI WebMonitor 93

94 3. Click Save WebSecurity Edition Policies WebSecurity edition includes download control, virus scanning through multiple anti-virus engines and anti-phishing as well as control for most IM clients. The following sections help you: Configure Security Policies Configure Download Policies Configure Security Engines Enabling or Disabling a Configured Policy To enable or disable a policy: 1. Go to Settings > Policies > Security Policies. 2. Click ON to enable or OFF to disable the desired policy. Deleting a Policy To delete a policy click the Delete icon next to the policy to delete Configuring Security Policies A default security policy is enabled when GFI WebMonitor is installed. It is pre-configured to apply to every user on the domain and to allow web browsing of all categories. This policy is called Default Virus Scanning Policy, and can be edited, but not disabled or deleted. NOTE Certain fields in the default policy cannot be edited. These include Policy Name and Apply Policy To. IMPORTANT All added policies take priority over the default policy. To edit the Default Virus Scanning Policy: 1. Go to Settings > Policies > Security Policies. 2. Under Configured Virus Scanning Policy, click Default Virus Scanning Policy. GFI WebMonitor 7 Configuring GFI WebMonitor 94

95 Screenshot 58: Configuring Default Virus Scanning Policy 3. In the Policy Name field enter a name for the new policy. This field is not available when editing the Default Virus Scanning Policy. 4. In the Scan area, select the action to perform for the required Content Types: Table 31: Scanning options OPTION DESCRIPTION Scan - select to enable scanning of web traffic related to a content type. If disabled, web requests are allowed without being scanned by the configured anti virus engines. Show download progress window - When enabled, a progress window is displayed during downloads. Block - select to block the content type completely. Warn and allow - when selected, users receive a warning that their web request or download is against company policy, but their action is still allowed. GFI WebMonitor 7 Configuring GFI WebMonitor 95

96 OPTION DESCRIPTION Quarantine - the requested web page or download is sent to a quarantine area within GFI WebMonitor, from where the Systems Administrator can then approve or decline the request. For more information, refer to Using Quarantine (page 58). 5. [Optional] To define custom content types, click Show Custom Content Types, then: a. Click Add Content Type. b. In the Content Type field, enter the string for the file type to add. NOTE This must be a MIME type, for example, if you want to add a content type for *.gif, type: image/gif. c. In the Description field, enter a description. d. Define the actions to take when the content type is downloaded. e. Click OK. 6. Select the virus scanning engines to use by switching the available engines On or Off as required. 7. In the Apply Policy To field, specify Users, Groups or IPs for whom the new policy applies, and click Apply To. This field is not available when editing the Default Virus Scanning Policy. 8. [Optional] In the Notify Breacher area, click ON to enable notifications. You can also edit the notification message in the Message to Policy Breacher window. GFI WebMonitor 7 Configuring GFI WebMonitor 96

97 9. [Optional] In the Notify Administrators area, click ON to enable notifications. Specify an address in the available box and click Add. You can also edit the notification message in the Message to Policy Breacher window. 10. Click Save. IMPORTANT You can add as many policies as required, however the top most policy has precedence over the ones below it. IMPORTANT Click Save before you navigate away from page. See also: Cloning a Policy Adding a New Security Policy Adding a New Security Policy To add a new Security Policy: 1. Go to Settings > Policies > Security Policies. 2. Click Add Policy. GFI WebMonitor 7 Configuring GFI WebMonitor 97

98 Screenshot 59: Creating a new Security Policy 3. In the Policy Name field enter a name for the new policy. This field is not available when editing the Default Virus Scanning Policy. 4. In the Scan area, select the action to perform for the required Content Types: Table 32: Scanning options OPTION DESCRIPTION Scan - select to enable scanning of web traffic related to a content type. If disabled, web requests are allowed without being scanned by the configured anti virus engines. Show download progress window - When enabled, a progress window is displayed during downloads. Block - select to block the content type completely. GFI WebMonitor 7 Configuring GFI WebMonitor 98

99 OPTION DESCRIPTION Warn and allow - when selected, users receive a warning that their web request or download is against company policy, but their action is still allowed. Quarantine - the requested web page or download is sent to a quarantine area within GFI WebMonitor, from where the Systems Administrator can then approve or decline the request. For more information, refer to Using Quarantine (page 58). 5. [Optional] To define custom content types, click Show Custom Content Types, then: a. Click Add Content Type. b. In the Content Type field, enter the string for the file type to add. NOTE This must be a MIME type, for example, if you want to add a content type for *.gif, type: image/gif. c. In the Description field, enter a description. d. Define the actions to take when the content type is downloaded. e. Click OK. 6. Select the virus scanning engines to use by switching the available engines On or Off as required. 7. In the Apply Policy To field, specify Users, Groups or IPs for whom the new policy applies, and click Apply To. This field is not available when editing the Default Virus Scanning Policy. 8. [Optional] In the Notify Breacher area, click ON to enable notifications. You can also edit the notification message in the Message to Policy Breacher window. GFI WebMonitor 7 Configuring GFI WebMonitor 99

100 9. [Optional] In the Notify Administrators area, click ON to enable notifications. Specify an address in the available box and click Add. You can also edit the notification message in the Message to Policy Breacher window. 10. Click Save. IMPORTANT You can add as many policies as required, however the top most policy has precedence over the ones below it. IMPORTANT Click Save before you navigate away from page. See also: Cloning a Policy Configuring Security Engines By default, all the Security Engines in GFI WebMonitor are enabled. To turn off a security engine: 1. Go to Settings > Security Policies. Screenshot 60: Configuring Security Engines 2. In the Security Engines area, click OFF next to the engine you want to disable. To perform additional configuration refer to the following sections: GFI WebMonitor 7 Configuring GFI WebMonitor 100

101 Configuring Kaspersky Configuring Anti Phishing Configuring ThreatTrack Configuring Kaspersky The Kaspersky anti-virus scanning engine enables you to state whether the actions specified in the Virus Scanning Policies should also be used when files are identified as: Table 33: Kaspersky engine options OPTION Suspicious Corrupted Hidden DESCRIPTION Files identified as suspicious. Files that cannot be scanned since the file format is corrupted, for example, corrupted CAB files. Files that cannot be scanned since the contents are protected, for example, password protected ZIP files. To configure Kaspersky: 1. Go to Settings > Policies > Security Policies. 2. Click Kaspersky. Screenshot 61: Configuring Kaspersky security engine 3. Next to Suspicious, click ON to enable scanning of files considered to be suspicious. 4. Next to Corrupted, click ON to enable scanning of corrupted files. 5. Next to Hidden, click ON to enable scanning of protected files. 6. Click Save Configuring Anti Phishing Notifications You can set up notifications that inform users whenever GFI WebMonitor protects them from known phishing sites. To configure notifications: 1. Go to Settings > Policies > Security Policies. 2. Click Anti-Phishing. 3. Next to Notify Breacher, click ON to enable notifications to be sent to the person attempting to access a known phishing site. GFI WebMonitor 7 Configuring GFI WebMonitor 101

102 4. Next to Notify Administrators, click ON to enable notifications, then specify the addresses of the persons who need to be notified. 5. Click Save Configuring ThreatTrack The ThreatTrack protection feature ensures that the latest malware and phishing threats are blocked even when originating from compromised legitimate sites. If enabled, GFI WebMonitor automatically blocks sites confirmed to be distributing malicious content or used for phishing purposes. To configure ThreatTrack: 1. Go to Settings > Policies > Security Policies. 2. Click ThreatTrack. Screenshot 62: Configuring ThreatTrack notifications 3. Next to Notify Breacher, click ON to enable notifications to be sent to the person attempting to access a known ThreatTrack site. 4. Next to Notify Administrators, click ON to enable notifications, then specify the addresses of the persons who need to be notified. 5. Click Save. GFI WebMonitor 7 Configuring GFI WebMonitor 102

103 Configuring Download Policies Download Policies enable you to manage file downloads based on file types. If a user tries to download a file that triggers a Download Policy, GFI WebMonitor determines what action to take, according to what you configured in that policy. This may be one of the following actions: Allow file download Quarantine downloaded file Block file from being downloaded A Default Download Policy is enabled when GFI WebMonitor is installed. It is pre-configured to apply to everyone and to allow downloads of all file types. The default download policy can be edited, but cannot be disabled or deleted. NOTE Certain fields in the default policy cannot be edited. These include Policy Name and Apply Policy To. IMPORTANT All added policies take priority over the default policy. NOTE It is recommended that only one Download Policy is applied to a user, a group or IP address. In cases where more than one Download Policy is applied to the same user, group or IP, the top most policy takes priority over subsequent policies. Enabling or Disabling a Download Policy To enable or disable a Download Policy: 1. Go to Settings > Policies > Download Policies. 2. Click ON to enable or OFF to disable the policy. Deleting a Download Control Policy To delete a Download Control Policy click the Delete icon next to the policy to delete. See also: Cloning a Policy Adding a New Download Policy Editing an Existing Download Policy Adding a New Download Policy To add a Download Policy: 1. Go to Settings > Policies > Download Policies. GFI WebMonitor 7 Configuring GFI WebMonitor 103

104 Screenshot 63: New download policy 2. Click Add Policy. 3. In the Policy Name field, key in a Policy Name. 4. From the Filter area, select action to be taken for file types. Available options are: Table 34: Filtering options OPTION DESCRIPTION Allow - select to allow downloads for content type. Block - select to block the content type completely. Quarantine - the requested download is sent to a quarantine area within GFI WebMonitor, from where the Systems Administrator can then approve or decline the request. For more information, refer to Using Quarantine (page 58). GFI WebMonitor 7 Configuring GFI WebMonitor 104

105 NOTE These settings can also be configured by clicking on a file type and selecting the desired Action. A description about each file type is also provided. 5. [Optional] To add custom file types not present in the pre-defined list, click Show Custom Content Types, then click Add Content-typeto add new file types. 6. In the Apply Policy To field, specify Users, Groups or IPsfor whom the new policy applies, and clickadd. NOTE When keying in a User, specify the username in the format domain\user. When keying in a Client IP, you can use IP ranges (for example, includes these IP addresses: , and ). 7. [Optional] In the Notify Breacher area, click ON to enable notifications to send when a user infringes this policy. Provide the body text of the notification in the available space. 8. [Optional] To send a notification to administrators when the downloaded content infringes this policy, click ON in the Notify Administrators area. Add the administrator s address and provide the body text of the notification in the available space. 9. Click Save. See also: Cloning a Policy Configuring Download Policies Editing an Existing Download Policy Editing an Existing Download Policy To edit a Download Control Policy: 1. Go to Settings > Policies > Download Policies. 2. Click the policy name to edit. 3. Change the required settings. 4. Click Save. See also: Cloning a Policy Configuring Download Policies Adding a New Download Policy Cloning a Policy Existing WebFiltering and WebSecurity policies can be cloned to quickly create new polices which can then be edited as required. To clone a policy: GFI WebMonitor 7 Configuring GFI WebMonitor 105

106 1. Go to Settings > Policies 2. Select Security Polices, Internet Policies or Download Policies. 3. Click the policy name you want to edit. 4. Click Clone Policy. NOTE Default policies cannot be cloned. 7.3 Configuring Alerts GFI WebMonitor lets you configure alerts based on specific usage patterns, such as warnings bypassed or sites that have been blocked by configured policies. The following sections will help you configure the following: Configuring Monitoring Alerts Configuring Bandwidth Alerts Configuring Security Alerts Configuring Monitoring Alerts Monitoring Alerts can be set up to send notifications when specific policies are triggered off. For example, if you have configured an Internet browsing policy that allows browsing Social Networks for X hours, you may want to notify the user or management when this threshold is exceeded. To configure monitoring alerts: 1. Go to Settings > Alerts > Monitoring Alerts. 2. Click Add Alert. GFI WebMonitor 7 Configuring GFI WebMonitor 106

107 Screenshot 64: Configuring Monitoring alerts 3. In the Alert Name filed, key in a name. 4. In the Trigger base on area, select a one of the following options: Sites Accessed - the alert will be triggered if the total number of specified sites is exceeded Blocks - selected users will be notified when the specified number of Blocks is exceeded Warnings Bypassed - selected users will be notified when the specified number of bypassed warnings is exceeded 5. In the Threshold area, specify a number that will trigger the alert if exceeded. 6. Specify the frequency that GFI WebMonitor checks against the specified threshold. Time intervals can be set to: Hour Day Week GFI WebMonitor 7 Configuring GFI WebMonitor 107

108 7. In the Apply to field, select a category from the available list and click Add. 8. In the Notify field, specify users or groups who need to be notified, then click Add. 9. In the Notify user field, Click ON and type the alert message in the Message to user field. 10. Click Save Configuring Bandwidth Alerts To configure bandwidth alerts: 1. Go to Settings > Alerts > Bandwidth Alerts. 2. Click Add Alert. Screenshot 65: Configuring Bandwidth alerts 3. In the Alert Name field, key in a name. 4. In the Trigger base on area, select a one of the following options: GFI WebMonitor 7 Configuring GFI WebMonitor 108

109 Table 35: Bandwidth alert trigger options TRIGGER DESCRIPTION Total Bandwidth Alert will be triggered if the total specified bandwidth is exceeded. Downloads Selected users will be notified when the specified download limit is exceeded. Uploads Selected users will be notified when the specified upload limit is exceeded. 5. In the Threshold area, specify the size of data in MB or GB that triggers the alert. Specify if this amount is applicable per user or for all users on domain. 6. Specify the frequency that GFI WebMonitor checks against the specified threshold. Time intervals can be set to: Hour Day Week 7. In the Filter on options, select the type of filtering to use. These can be: Table 36: Bandwidth alerts filtering options FILTER No Filter Categories Content type DESCRIPTION Select this option to make the alert available on all type of traffic. Select desired categories from a predefined list and click Add. Select desired content types from a predefined list and click Add. 8. In the Notify field, specify the users or groups to notify and click Add. 9. In the Notify user field, click ON and type the alert message in the Message to user field. 10. Click Save Configuring Security Alerts To configure security alerts: 1. Go to Settings > Alerts > Security Alerts. 2. Click Add Alert. GFI WebMonitor 7 Configuring GFI WebMonitor 109

110 Screenshot 66: Configuring Security alerts 3. In the Alert Name filed, key in a name. 4. In the Trigger for area, select any of the following options: Table 37: Security alerts trigger options TRIGGER Anti-Virus Anti-Phishing ThreatTrack DESCRIPTION Alert will be triggered when the number of blocks made by the Anti-virus engine exceeds the threshold specified in the next step. Alert will be triggered when the number of blocks made by the Anti-phishing engine exceeds the threshold specified in the next step. Alert will be triggered when the number of blocks made by the ThreatTrack engine exceeds the threshold specified in the next step. 5. In the Threshold area, specify the total hits that will trigger the alert when exceeded. This setting will apply for the selected security engines. 6. Specify the frequency that GFI WebMonitor checks against the specified threshold. Time intervals can be set to: Hour Day Week 7. In the Notify field, specify users or groups who need to be notified, then click Add. GFI WebMonitor 7 Configuring GFI WebMonitor 110

112 8 Troubleshooting and support 8.1 Introduction This chapter explains how to resolve any issues encountered during installation of GFI WebMonitor. The main sources of information available to solve these issues are: This manual - most issues can be solved through the information in this section. GFI Knowledge Base articles Web forum Contacting GFI Technical Support 8.2 GFI SkyNet GFI maintains a comprehensive knowledge base repository, which includes answers to the most common problems. GFI SkyNet always has the most up-to-date listing of technical support questions and patches. In case that the information in this guide does not solve your problems, next refer to GFI SkyNet by visiting: Web Forum User to user technical support is available via the GFI web forum. Access the web forum by visiting: Request Technical Support If none of the resources listed above enable you to solve your issues, contact the GFI Technical Support team by filling in an online support request form or by phone. Online: Fill out the support request form and follow the instructions on this page closely to submit your support request on: Phone: To obtain the correct technical support phone number for your region visit: NOTE Before contacting Technical Support, have your Customer ID available. Your Customer ID is the online account number that is assigned to you when first registering your license keys in the GFI Customer Area at: We will answer your query within 24 hours or less, depending on your time zone. 8.5 Documentation If this manual does not satisfy your expectations, or if you think that this documentation can be improved in any way, let us know via on: GFI WebMonitor 8 Troubleshooting and support 112

113 8.6 Common Issues Table 38: Common troubleshooting issues ISSUE ENCOUNTERED WebFilter module fails to register correctly on all members of the array when GFI WebMonitor is installed on Microsoft TMG (where Microsoft TMG is in array of other Microsoft TMG Severs) Users are not able to browse and/or download from the Internet after installing GFI WebMonitor in Gateway or in Simple Proxy mode. Client browsers are still retrieving old proxy Internet settings although the browsers are configured to automatically detect settings. Users are still required to authenticate themselves manually when browsing, even when Integrated authentication is used. SOLUTION The GFI WebMonitor DLL does not get registered and needs to be registered manually. Run the command regsrv32 webmonplg.dll from the folder that contains the webmonplg.dll. This is typically located in the Microsoft ISA or Microsoft TMG folder on each server where GFI WebMonitor is installed. After the installation, GFI WebMonitor proxy machine has to be configured to listen for incoming user requests. Next, Internet browsers on client machines have to be configured to use the GFI WebMonitor proxy machine as the default proxy. For more information, refer to Post Installation Actions (page 22). In the event that the users are still not able to browse and/or download from the Internet, add an exception rule in the firewall on the GFI WebMonitor proxy machine to allow incoming TCP traffic on port For more information on how to enable firewall ports on Windows Firewall, refer to Internet explorer may not refresh cached Internet settings so client browsers will retrieve old Internet settings. Refreshing settings is a manual process on each client browser. For more information, refer to the Refresh cached Internet Explorer settings section within the Miscellaneous chapter in GFI WebMonitor Getting Started Guide. Or visit: Integrated authentication will fail when GFI WebMonitor is installed on a Windows XP Pro machine that has never been joined to a Domain Controller and where the Network access setting is set to Guest only - local users authenticate as Guest. GFI WebMonitor 8 Troubleshooting and support 113

114 ISSUE ENCOUNTERED Users using Mozilla Firefox browsers are repeatedly asked to key in credentials after installing GFI WebMonitor in Gateway or in Simple Proxy mode. SOLUTION The server and the client machine will use NTLMv2 for authentication when: GFI WebMonitor is installed on Windows Server 2008 and LAN Manager authentication security policy is defined as Send NTLMv2 response only and The client machine LAN Manager is not defined (this is the default setting in Windows 7) NTLMv2 is not supported in Mozilla Firefox and the user s browser will repeatedly ask for credentials. To solve this issue do one of the following : 1. Navigate to Configuration > Proxy Settings. 2. In the Network Configuration area select the Use WPAD for network clients checkbox. 3. Select Publish the host name of the GFI WebMonitor proxy in WPAD. Or change authentication mechanism on either of the following: On GFI WebMonitor server (Windows Server 2008): 1. Navigate to Start > Administrative Tools > Local Security Policy. 2. Expand Local Policies > Security Options. 3. Right-click Network Security: LAN Manager authentication level from the right panel and click Properties. 4. Select Local Security Setting tab in the Network Security: LAN Manager authentication level Properties dialog. 5. Select Send LM & NTLM - use NTLMv2 session security if negotiated from the Network security drop-down list. 6. Click Apply and OK. 7. Close Local Security Policy dialog. 8. Close all open windows. Client machines (Microsoft Windows 7) using Active Directory GPO: 1. Navigate to Start > Control Panel > System and Security > Administrative Tools > Local Security Policy. 2. Expand Local Policies > Security Options. 3. Right-click Network Security: LAN Manager authentication level from the right panel and click Properties. 4. Select Local Security Setting tab in the Network Security: LAN Manager authentication level Properties dialog. 5. Select Send LM & NTLM - use NTLMv2 session security if negotiated from the Network security drop-down list. 6. Click Apply and OK. 7. Close Local Security Policy dialog. 8. Close all open windows. For more information visit: GFI WebMonitor 8 Troubleshooting and support 114

115 9 Glossary A Access Control "A feature that allows or denies users access to resources, for example, Internet access." Active Directory AD "A technology that provides a variety of network services, including LDAP-like directory services." See Active Directory Administrator The person responsible for installing and configuring GFI WebMonitor. Always Allowed List A list that contains information about what should be allowed by GFI WebMonitor. Always Blocked List A list that contains information about what should be blocked by GFI WebMonitor. Anti-virus Software that detects viruses on a computer. B Bandwidth The maximum amount of data transferred over a medium. Typically measured in bits per second. C Cache CER A location where GFI WebMonitor temporarily keeps downloaded files. This will speed up subsequent requests for the same file as GFI WebMonitor would serve the file directly from the cache instead of downloading it again. See CER file format CER file format A certificate file format that contains the certificate data but not the private key. Certificate Revocation List A list issued by a Certification Authority listing HTTPS websites revoked. certificates that were GFI WebMonitor 9 Glossary 115

116 Chained Proxy When client machines connect to more than one proxy server before accessing the requested destination. Console CRL An interface that provides administration tools that enable the monitoring and management of Internet traffic. See Certificate Revocation List D Dashboard Enables the user to obtain graphical and statistical information related to GFI WebMonitor operations. E Expired Certificate An expired certificate has an end date that is earlier than the date when the certificate is validated by GFI WebMonitor. F File Transfer Protocol A protocol used to transfer files between computers. FTP See File Transfer Protocol. G Google Chrome GPO A web browser developed and distributed by Google. See Group Policy Objects. Group Policy Objects An Active Directory centralized management and configuration system that controls what users can and cannot do on a computer network. H Hidden Downloads "Unwanted downloads from hidden applications (for example, trojans) or forgotten downloads initiated by users." GFI WebMonitor 9 Glossary 116

117 HTTP See Hypertext Transfer Protocol. HTTPS See Hypertext Transfer Protocol over Secure Socket Layer (SSL). HyperText Transfer Protocol A protocol used to transfer hypertext data between servers and Internet browsers. HyperText Transfer Protocol over Secure Socket Layer (SSL) A protocol used to securely transfer encrypted hypertext data between servers and Internet browsers. The URL of a secure connection (SSL connection) starts with https: instead of I Internet Browser An application installed on a client machine that is used to access the Internet. Internet Gateway "A computer that has both an internal and an external network card. Internet sharing is enabled, and client machines on the internal network use this computer to access the Internet." L LAN See Local Area Network. LDAP See Lightweight Directory Access Protocol. Lightweight Directory Access Protocol A set of open protocols for accessing directory information such as addresses and public keys. Local Area Network An internal network that connects machines in a small area. M Malware Short for malicious software.unwanted software designed to infect a computer such as a virus or a trojan. Microsoft Forefront Threat Management Gateway A Microsoft product that provides firewall and web proxy services. It also enables administrators to manage Internet access through policies. It is the successor of the Microsoft ISA Server and is part of the Microsoft Forefront line of business security software. GFI WebMonitor 9 Glossary 117

118 Microsoft Forefront TMG See Microsoft Forefront Threat Management Gateway Microsoft Internet Explorer A web browser developed and distributed by Microsoft Corporation. Microsoft Internet Security and Acceleration Server A Microsoft product that provides firewall and web proxy services. It also enables administrators to manage Internet access through policies. Microsoft ISA Server See Microsoft Internet Security and Acceleration Server. Microsoft SQL Server A Microsoft database management system used by GFI WebMonitor to store and retrieve data. Microsoft Windows Live Messenger An instant messaging application developed by Microsoft used by users to communicate on the Internet. Mozilla Firefox MSN Mozilla Firefox is an open source Internet browser. See Microsoft Windows Live Messenger N Non-validated Certificate An non-validated certificate has a start date that falls after the date when the certificate is validated by GFI WebMonitor. NT LAN Manager A Microsoft network authentication protocol. NTLM See NT LAN Manager. P Personal Information Exchange file format PFX A certificate file format that contains the certificate data and its public and private keys. See Personal Information Exchange file format. Phishing The act of collecting personal data such as credit card and bank account numbers by sending fake s which then direct users to sites asking for such information. GFI WebMonitor 9 Glossary 118

119 Port Blocking The act of blocking or allowing traffic over specific ports through a router. Proxy Server A server or software application that receives requests from client machines and responds according to filtering policies configured in GFI WebMonitor. Q Quarantine A temporary storage for unknown data that awaits approval from an administrator. R Revoked Certificate "A revoked certificate is a valid certificate that has been withdrawn before its expiry date (for example, superseded by a newer certificate or lost/exposed private key)." S Spyware Unwanted software that publishes private information to an external source. T Traffic Forwarding The act of forwarding internal/external network traffic to a specific server through a router. U Uniform Resource Locator The address of a web page on the world wide web. It contains information about the location and the protocol. URL See Uniform Resource Locator. User Agent A client application that connects to the Internet and performs automatic actions. V Virus Unwanted software that infects a computer. GFI WebMonitor 9 Glossary 119

120 W WAN See Wide Area Network. Web Proxy AutoDiscovery protocol An Internet protocol used by browsers to automatically retrieve proxy settings from a WPAD data file. Web traffic The data sent and received by clients over the network to websites. WebFilter Edition A configurable database that allows site access according to specified site categories per user/group/ip address and time. WebGrade Database "A database in GFI WebMonitor, used to categorize sites." WebSecurity Edition WebSecurity contains multiple anti-virus engines to scan web traffic accessed and downloaded by the clients. Wide Area Network An external network that connects machines in large areas. WPAD See Web Proxy AutoDiscovery protocol. GFI WebMonitor 9 Glossary 120

121 10 Appendix 1 This section contains the following topics: Assigning Log On As A Service Rights Configuring Routing and Remote Access Disabling Internet Connection Settings On Client Machines 10.1 Assigning Log On As A Service Rights Logon rights control who is authorized to log on to a computer and how they can log on. Log on as a service rights allow a security principal to log on as a service. Services can be configured to run under the Local System, Local Service, or Network Service accounts, which have a built-in right to log on as a service. Any service that runs under a separate user account must be assigned the right. Manually assigning Log On As A Service Rights on Windows XP/Vista/7 1. Navigate to Start > Control Panel > Administrative Tools > Local Security Policy. 2. Expand Security Settings > Local Policies > User Rights Assignment. 3. Right-click Log on as a service from the right panel and click Properties. 4. Select the Local Security Setting tab. 5. Click Add User or Group. 6. Key in the account name and click OK. 7. Click Apply and OK. 8. Close Local Security Settings dialog. 9. Close all open windows. Manually assigning Log On As A Service Rights on a Server Machine 1. Navigate to Start > Programs > Administrative Tools > Local Security Policy. GFI WebMonitor 10 Appendix 1 121

122 Screenshot 67: Microsoft Windows Server: Local Security Policy window 2. Expand Security Settings > Local Policies > User Rights Assignment. 3. Right-click Log on as a service from the right panel and click Properties. 4. Select the Local Security Setting tab. 5. Click Add User or Group button. 6. Key in the account name and click OK. 7. Click Apply and OK. 8. Close all open windows. Assigning Log On As A Service Rights Using GPO in Windows Server 2003 To assign Log on as service rights on clients machines through Windows Server 2003 GPO: 1. Navigate to Start > Programs > Administrative Tools > Active Directory Users and Computers on the DNS server. 2. Right-click the domain node and click Properties. GFI WebMonitor 10 Appendix 1 122

GFI Product Manual Administrator Guide The information and content in this document is provided for informational purposes only and is provided "as is" with no warranty of any kind, either express or implied,

GFI Product Manual Administrator Guide The information and content in this document is provided for informational purposes only and is provided "as is" with no warranty of any kind, either express or implied,

Product Manual Administration and Configuration Manual http://www.gfi.com info@gfi.com The information and content in this document is provided for informational purposes only and is provided "as is" with

GFI Product Manual ReportPack Manual http://www.gfi.com info@gfi.com The information and content in this document is provided for informational purposes only and is provided "as is" with no warranty of

GFI Product Manual Administration and Configuration Manual http://www.gfi.com info@gfi.com The information and content in this document is provided for informational purposes only and is provided "as is"

GFI Product Manual Web security, monitoring and Internet access control Evaluation Guide Part 1: Quick Install The information and content in this document is provided for informational purposes only and

GFI Product Manual Getting Started Guide http://www.gfi.com info@gfi.com The information and content in this document is provided for informational purposes only and is provided "as is" with no warranty

GFI Product Manual Getting Started Guide The information and content in this document is provided for informational purposes only and is provided "as is" with no warranty of any kind, either express or

GFI MailSecurity 2011 for Exchange/SMTP Getting Started Guide http://www.gfi.com info@gfi.com The information and content in this document is provided for informational purposes only and is provided "as

GFI Product Manual Administrator Guide The information and content in this document is provided for informational purposes only and is provided "as is" with no warranty of any kind, either express or implied,

Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your computer.

GFI Product Manual Version 6.0 Getting Started Guide The information and content in this document is provided for informational purposes only and is provided "as is" with no warranty of any kind, either

GFI Product Manual Administrator Guide The information and content in this document is provided for informational purposes only and is provided "as is" with no warranty of any kind, either express or implied,

GFI Product Manual Administrator Guide The information and content in this document is provided for informational purposes only and is provided "as is" with no warranty of any kind, either express or implied,

Interworks Interworks Cloud Platform Installation Guide Published: March, 2014 This document contains information proprietary to Interworks and its receipt or possession does not convey any rights to reproduce,

GFI Product Guide Archive Assistant The information and content in this document is provided for informational purposes only and is provided "as is" with no warranty of any kind, either express or implied,

Getting Started Guide Review system requirements and follow the easy steps in this guide to successfully deploy and test GFI FaxMaker. The information and content in this document is provided for informational

GFI Product Guide GFI MailArchiver Archive Assistant The information and content in this document is provided for informational purposes only and is provided "as is" with no warranty of any kind, either

Kaspersky Security 9.0 for Microsoft SharePoint Server Administrator's Guide APPLICATION VERSION: 9.0 Dear User! Thank you for choosing our product. We hope that this document will help you in your work

GFI Product Manual Outlook Connector User Manual http://www.gfi.com info@gfi.com The information and content in this document is provided for informational purposes only and is provided "as is" with no

User Manual Onsight Management Suite Version 5.1 Another Innovation by Librestream Doc #: 400075-06 May 2012 Information in this document is subject to change without notice. Reproduction in any manner

MANJRASOFT PTY LTD Aneka 3.0 Manjrasoft 5/13/2013 This document describes in detail the steps involved in installing and configuring an Aneka Cloud. It covers the prerequisites for the installation, the

9 CHAPTER This chapter describes how to configure the CSC SSM using the CSC Setup Wizard in ASDM and the CSC SSM GUI, and includes the following sections: Information About the CSC SSM, page 9-1 Licensing

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

GFI Product Manual Outlook Connector Manual The information and content in this document is provided for informational purposes only and is provided "as is" with no warranty of any kind, either express

NETWRIX EVENT LOG MANAGER QUICK-START GUIDE FOR THE ENTERPRISE EDITION Product Version: 4.0 July/2012. Legal Notice The information in this publication is furnished for information use only, and does not

GFI Product Manual The information and content in this document is provided for informational purposes only and is provided "as is" with no warranty of any kind, either express or implied, including but

Faqs > PC security Before Installation Q1. Does PC Security work with other antivirus or firewall software installed on my computer? Ans.: No. You cannot have two antivirus solutions from different vendors

GFI Product Guide Administrator Guide The information and content in this document is provided for informational purposes only and is provided "as is" with no warranty of any kind, either express or implied,

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

GFI Product Manual GFI MailArchiver Outlook Addon The information and content in this document is provided for informational purposes only and is provided "as is" with no warranty of any kind, either express

Kaseya 2 Kaseya Server Setup Installation guide Version 7.0 English September 4, 2014 Agreement The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya s Click-Accept

Setting Up a Unisphere Management Station for the VNX Series P/N 300-011-796 Revision A01 January 5, 2010 This document describes the different types of Unisphere management stations and tells how to install

Pearl Echo Installation Checklist Use this checklist to enter critical installation and setup information that will be required to install Pearl Echo in your network. For detailed deployment instructions

CONFIGURING MICROSOFT SQL SERVER REPORTING SERVICES TECHNICAL ARTICLE November/2011. Legal Notice The information in this publication is furnished for information use only, and does not constitute a commitment

Symantec LiveUpdate Administrator Getting Started Guide Symantec LiveUpdate Administrator Getting Started Guide The software described in this book is furnished under a license agreement and may be used

This chapter describes some basic Email Security Gateway configuration settings, some of which can be set in the first-time Configuration Wizard. Other topics covered include Email Security interface navigation,

GFI Product Guide GFI Archiver and Office 365 Deployment Guide The information and content in this document is provided for informational purposes only and is provided "as is" with no warranty of any kind,

Remote Console Installation & Setup Guide November 2009 Legal Information All rights reserved. No part of this document shall be reproduced or transmitted by any means or otherwise, without written permission

Installing GFI MailEssentials Introduction to installing GFI MailEssentials This chapter explains the procedure on how to install and configure GFI MailEssentials. GFI MailEssentials can be installed in

Installation and Deployment Help Documentation This document was auto-created from web content and is subject to change at any time. Copyright (c) 2016 SmarterTools Inc. Installation and Deployment SmarterStats

Dell One Identity Cloud Access Manager 7.0.2 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under